February 15, 2022
You might be thinking: a CISO in the M&A space? Investors don't “do” technology – they’re focused on investment and ROI. In my 27 years in software security and IT leadership, I hadn’t heard of it either, but this unorthodox belief is why I came to ASG – we aren’t your typical investor.
As a CISO at ASG, I educate and support leaders of our companies through technology education and business strategy, which is why I’m excited to share my perspective on this year’s trends from a security perspective.
Every year, there are three traditions in information security (InfoSec):
1) The mid-May weekend is spent reading the Verizon Data Breach Investigations Report
3) The annual "cyber security/information security trends for the next year."
A lot of people roll their eyes, but I pay attention to all three because they’re all connected. What we see in August's demonstrations is reflected in January's predictions and reported on in May.
Generally, security experts write about the previous year and express hope that this year will be better than the last. While COVID hasn't helped in the hope department, 2022 can be a better year from an information security perspective, especially if companies pay attention to the signs and trends. Let's look at the issues to be aware of:
The buzz for 2021 was "Software Composition Analysis" and "Software Bill of Materials," and rightly so. 2021 was the year software supply chain vulnerabilities truly arrived at massive scale. While the SolarWinds attack opened the world’s eyes, other major incidents like Log4j showed how widespread these attacks could be. That "leading-edge" hacking technology has already found its way into the automated tools script kiddies use to execute their attacks, so the only reasonable expectation is to see more and more creative supply chain attacks, with more companies reporting breaches as they begin to detect and discover malicious activity within their networks.
The Open Web Application Security Project (OWASP) – a nonprofit foundation that works to improve the security of software – updated its Top 10 list of the most critical security concerns, but honestly, it is still made up of the same basic weaknesses – such as server misconfiguration, SQL injection, or cross-site scripting attacks – just organized differently each year. I've been an ethical hacker for over a decade now, and I could pretty much deliver the same report to a client today as I wrote in my first year. What am I getting at? Most successful attacks aren't cleverly complicated; they simply take advantage of basic, recurring weaknesses and vulnerabilities.
A report from the Ponemon Institute found that phishing attacks cost large organizations almost $15 million annually and $200,000 for small to medium businesses (SMBs). Human behavior represents a big risk – we are overburdened, rushed and, frankly, all exhausted thanks to the last two years. That won't improve in 2022: human risk will still be a major factor in overall corporate security strategy.
Where I diverge from most annual predictions is this: I never give a prediction without strategies or solutions. The companies that weather 2022 successfully will be the companies that address the key basics. This includes:
The saddest prediction to make is that it's still the basics, and it will still be the basics for a long time. The one thing I can promise is that companies that observe past attacks and incidents, learn from them, and prepare themselves in 2022 will find that they have fewer incidents with less overall impact.